
Sent records to CERT-In, in touch with FIU, regulators: WazirX’s Nischal Shetty

Following the $230-million security breach in one of its multisig wallets and losing 45% of its holding assets, WazirX’s founder and CEO Shetty is in talks with global peers for support or finding a potential buyer.

July 30, 2024 / 16:31 IST
Nischal Shetty, founder and CEO, WazirX

India's largest crypto exchange, WazirX, is currently working on finalising a solution to restart its platform while also attempting to recover $230 million worth of crypto assets lost in a cyberattack on one of its multisig wallets, a top official said.

Multisig wallets are crypto wallets that require two or more private keys to unlock and withdraw funds.

The exchange lost nearly 45 percent of its holding assets in this hack on July 18.

Moneycontrol had exclusively reported that the exchange had also reached out to its former partner and the world’s largest exchange Binance for possible support as a good chunk of WazirX’s revenues is still under Binance’s control, as per sources.

The theft at WazirX comes at a critical juncture, when Indian crypto players were gearing up to restart negotiations with government bodies on regulations for the sector. These discussions were supposed to happen after the elections and the Union Budget concluded.

In a detailed interview with Moneycontrol, WazirX’s founder and CEO Nischal Shetty answered questions on recovery plans, ongoing talks with the government and global peers, and more.

Edited excerpts:

A third of India’s crypto investors use your platform. Do you think this leak will jeopardise the trust in WazirX and crypto in general? How does WazirX plan to win that trust back?

In many of the hacks in history, the exchange gets hacked and then the funds are withdrawn from the so-called hot wallets. Because in hot wallets, your keys are on the server and hackers get access to the key. In our case, that was not the issue because our servers were never hacked. Our systems are not compromised.

So the standard industry practice is you move the majority of your funds into a cold wallet. And a cold wallet is where the keys that are needed for making the transaction on that wallet are not on any server. Since you don't have any keys, which means if the keys are not online, it cannot be hacked. Also you have multiple people whose keys are needed.

There is no single point of failure. In our case, we had four signers. Three from our company and one from Liminal, which is a third party.

If there is a compromise, on these three people who are signing from our company, there is the final fourth line of defense, which is a third party custodian whose only job is to do this. Because we as an exchange have to do 20 different things. But as a custodian, their job is to be the last line of defense.

So that even if there is some compromise on our end, in terms of signing, they are keeping it secure. Unfortunately, they ended up signing this malicious transaction as well. And that is where the whole defense of the tokens, everything just opened up to the attacker…We have done a forensic testing of our devices. The only hack, if it is on our side, is going to be those three computers that are used for signing.

Currently, in India, users cannot directly withdraw cryptos and hold them in cold wallets. They need to sell them off and then convert them into INR, and that is how they can withdraw money? Can you clarify?

No, it depends. There are two categories of customers. The ones who do not deposit INR, they can trade and withdraw crypto. But the ones who deposit INR, we have the most stringent compliances to allow.

For that category also, it's not like a complete block, but only after several compliance checks and all - for a small number of people where we can know that for sure we can trust – we allow. It's a very manual process. But for the majority, we don't. We can't because of compliance risks, where people deposit, and they withdraw crypto and then we get freezes on our bank account because that deposit was bad. And we get to know this after one or three months. We won't allow crypto withdrawals till there is regulatory clarity.

Are you in conversation with the regulators and the government on this? Have they reached out to WazirX? Are they helping in solving this crisis?

Yeah, we're in touch with everyone. We're talking to various government bodies to figure out how we can get their help in catching the perpetrators, tracing the funds and other methods in this situation for recovery.

It's still early days. With the FIU (Financial Intelligence Unit – India) for example, there have been constant calls from our team to understand and we have been updating them. We filed a police complaint, now that has to get into its process. So it's still yet to completely take off.

Right now, it's in the discussion stage on what happened, how it happened.

We have sent records to CERT-In (Indian Computer Emergency Response Team). They've gotten on calls. They have been understanding the situation. So right now, it's in advanced stages, and they've understood what has happened.

And how are the ministry (MeitY) and FIU reacting at this point?

There are two aspects of an exchange. One is you could lose the money by misusing the money, by using it for other stuff. And there have been cases of that, like FTX was an internal theft where they chose to use that money.

Versus we are a victim of a cyberattack, not a fly-by-night hacker who's sitting in a room, but an entire organization (North Korea’s Lazarus Group) which is known to do this for several years on several exchanges and several other entities, banks included. It is state sponsored. So I think many are understanding that this is a cyber attack.

On WazirX, we've never used the customer funds for even staking (a way to earn rewards or passive income on long-term holdings). We purely have custody. We only kept it in the cold wallet for signers. So it's not like we touch the money, but from that cold wallet also these hackers found a way to attack it and remove it.

That is understood by everyone who's trying to talk to us.

When do you expect the results of the forensic tests to be out?

We can only speak for our devices. There are three devices and this is going to be an extensive exercise. So they are starting with device 1 which is the most probable device, and we should get the detailed analysis of it by end of this week or early next week. Then they will start device 2 and 3.

We understand that WazirX has reached out to Binance to seek help as they control your WRX tokens...

The earlier case with them is still ongoing, so we have no comments on this.

Are you expecting support from other global exchanges to bail you out of this situation? Historically, Binance is known to help other exchanges in such situations. Have you been in talks with global peers and the community?

I'm personally reaching out to everyone. And we are in discussions. But the amount is such that no one can take that decision overnight.

It's going to take time. And we are dealing with the pressure to solve it, but also the other thing is, a lot of our customers are asking to open up the platform.

Now, if you want to be able to find value, you need to provide value. You can't have partial solutions here. If you want to find a potential (buyer), let's say, someone who can take over or come in, they would need the whole situation to be where they can decide that this is the value in the system and we will come.

So, that's why we came up with this plan (to lock 45% of customers' crypto assets in USDT, while allowing them to trade only 55% of their assets) as a stopgap. That you can immediately withdraw and we'll have to lock the 45% of everyone. And when a potential buyer or anyone who steps in, then the rest can be figured out. So, this was our solution.

We wanted to socialize (the loss) and understand whether people want it or not.


Is there a possibility that Binance might pitch in to help out? And also, if you could share any other exchanges or global peers or community folks you might have reached out to? 

I can't name any names right now because it's so early. I think it will be unfair to the people we are discussing with. But having said that, we are discussing with anyone and everyone. We are not thinking about anything but how we resolve this for our customers.

Your 55/45 recovery plan is facing backlash from customers. How do you see this play out and help in quick recovery of funds? And why did you choose to lock 45% of funds in USDT?

We are a large platform. And this situation is such that you cannot find a solution where everyone will be happy. It is what it is. We wanted to find a fair approach. Like, a fair approach where you can apply it throughout.

One thing that you can't do is being unfair to a certain section and we can’t do different deals for everyone. This is throughout for all. So, this seems like the straightforward thing.

This is something we have seen from history. Like Bitfinex had the same situation. They too socialized the loss. They deducted 36% from all of the accounts. All of the accounts that were involved on the exchange.

And then they locked that in USDT denominator value. We are not locking in USDT. We are just saying the value is in USDT. And this is because when your deduction happens, let's say, from your account, and there are some assets, we'll have to move it to someone who has more than 45% affected.

They'll get 70 or 80. From your account, we have to rebalance someone else's portfolio. And if we don't lock it at the price that we do that at, recovery becomes very hard for us because if the crypto market keeps going up, they will change.

Right now, people might say because there's a bull market inside. But let's say recovery takes longer and a bear market comes. Then they also lose out. That value will suddenly drop to 10% or 20% of the value. That's where bear markets go.

It's a very fluctuating price point if you keep it in that same asset. So, what we said is let's fix the price that this is the price of today. It's more to do with bringing stability.

Any other plans on recovery?

All of these are very initial ideas and these things take time to implement. But this is again looking at what has happened historically. We've seen Bitfinex doing airdrops and I think they eventually bought out from the future profit they made. They bought those tokens back from the future profit.

That’s the other thing that maybe you can come up with a new token project and airdrop a lot of those tokens to the community. So that when the token project goes live with whatever concepts and stuff, then the community will benefit from that rising value.



Debangana Ghosh
first published: Jul 30, 2024 04:28 pm
